Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "Dozens of volunteers who anonymously donated their genomic data to a public database for medical research have been identified by a team led by Yaniv Erlich, a former computer security researcher turned geneticist. Erlich's team matched Y chromosomal markers in genomes compiled by the 1000 Genomes Project with non-anonymous genomic databases, for example some assembled from contributions by family tree enthusiasts (abstract). After finding a match on a presumed relative of the study participant, the researchers pieced together the relative's family tree through search engines and the like, until they were able to identify the participant based on gender, age, place of birth, and other supposedly 'non-identifying' information associated with the genome. The names of the identified participants have not been released."

Those of us who see these privacy problems in advance are called "tinfoil hatters" and the like, but only by the rabble who act like everything always goes according to plan.

The defender must successfully deal with every potential threat. The attacker only has to find the one thing the defender missed. Thus, security favors the attacker. In this case, the investigator trying to find out who this "anonymized" info belongs to is the attacker.

Albert Einstein explained it already. People are insane. They keep doing the same thing, over and over, expecting new and different results.

And yet, when it comes to procreation, ask any parent: every kid is radically different from the previous models. The insanity here is that us parents foolishly expect the next time around to be the *same* as previous results.

Preventing the release of your own information? Identification by genotype is a very real privacy issue, but what happened here is NOT the fault of researchers. People seeking familial ancestry information, posted some genotype information online PUBLICLY, in the hopes of finding a relative (in this case, fathers, who can be traced by the Y chromosome). Since last names are roughly patrilineal, a simple genotype match cross-referenced with last names and location made it trivial. Are people to be preven

Preventing the release of your own information? Identification by genotype is a very real privacy issue, but what happened here is NOT the fault of researchers. People seeking familial ancestry information, posted some genotype information online PUBLICLY, in the hopes of finding a relative (in this case, fathers, who can be traced by the Y chromosome).

It would have been enough for the subject's family to have posted the genealogy information - the subject may have known nothing about it. Still, you are right its not the fault of the researchers (as its impossible to fully anonymise a dataset while retaining its research usefulness).

It isn't the fault of anyone. Identification is exactly that, itendification. To identify someone or something, we have to have identifiable information. That information HAS TO BE FREE in order for identification to work. Given enough information, it will always be easy to identify specific individuals with relative certanty. That is kind of the point of identification, isn't it?

There is no PRIVACY violation here. Also, privacy is an illusion. If you want privacy, go live off the grid in some cave all by yourself.

If you want to create a "crime" for this, how about creating a general statute that basically says, "any inappropriate use of identification of individuals, without their express concent, is illegal" and then define what constitutes "Inappropriate" separately in such a way that it creates clear guidelines that spans all forms of technology used to identify people.

The problem isn't what people, or business's do with this information. That's just annoying... The problem is what the government will do with it, and they will, of course, exempt themselves from any such laws.

Socialism requires government have this information. It is, IMHO, a violation of the Fourth Ammendment. But without a viable second ammendment, good luck protecting the rights enumerated under any of the others.

1) Socialism, reporting compliance to the authorities. The moment it becomes "beneficial" to have DNA on record by the government, it will be required. Already, we are required to provide government agencies proof that we have certain things like Vaccinations and TB tests. When it becomes clear that certain gene traits lead to pedophelia then DNA scanning will take place... "for the children". Because it hasn't happened yet, doesn't mean it won't. The question is, how much "privacy" do you have when "safte

There is no PRIVACY violation here. Also, privacy is an illusion. If you want privacy, go live off the grid in some cave all by yourself.

If you give someone private information on the premise that it can't be tied to your person and that turns out to be false, of course that is a violation of your privacy even if it's nobody's fault. Personally I like some of the benefits of privacy like democracy, can't have that without private voting. Privacy is no more an illusion than free speech or due process, it exists if you make it so. But just like countries where you have no free speech and no due process, you can have no privacy too. But I would

If you give someone "private" information, it isn't private anymore. That is the nature of privacy and information. Once you tell somebody something you are at their mercy to keep it to themselves. If you want to keep a secret, don't tell anyone

If you give someone "private" information, it isn't private anymore. That is the nature of privacy and information. Once you tell somebody something you are at their mercy to keep it to themselves. If you want to keep a secret, don't tell anyone

I think you're failing to get the point.

The people involved signed legally enforceable consent forms which specifically mandate what data authorization and sharing are permitted.

The problem lies in the interpretation that release of bits of information did not violate these IRB approved contracts, when in fact, as a number of panels at scientific conferences had warned, they did violate these IRB approved contracts.

Given enough information, it will always be easy to identify specific individuals with relative certainty.

The situation is avoidable because the research data included too much identifying information. How relevant is the persons age for instance? How relevant is the specific place of birth (City for instance vs region).

There's a way to publish the data with enough uncertainty about who the individual is to make identification impossible, or extremely unlikely. I don't kno

Still, you are right its not the fault of the researchers (as its impossible to fully anonymise a dataset while retaining its research usefulness).

For researchers the way forward is to restrict access to their data. Stored data is encrypted, email/FTP is encrypted. HIPAA enforcement and potentially being banned from access to clinical trial data (in the case of egregious carelessness) would be good motivators to maintain good IT practices.

On NPR they pointed out that while it is illegal to deny or charge more for health insurance based on genetic information it is perfectly legal to deny life insurance or long term care insurance on that basis. The

I skimmed at least one of TFAs. Didn't see anything about any participant being mad about it. It did say something along the lines of "We told these people they'd be anonymous." So there is an important issue of informed consent here: the researchers were wrong when they were getting permission. Hopefully no lawyers hear about this.

It also points out that as a consequence, the data can't be distributed freely, since it could be traced back and used to discriminate against people whose only crime was trying to help science and having faulty genes.

So, no, this isn't a simple matter of "people getting mad," this is serious consequences.

It did say something along the lines of "We told these people they'd be anonymous." So there is an important issue of informed consent here: the researchers were wrong when they were getting permission. Hopefully no lawyers hear about this.

It'll only be a problem if the lawyers twist things as usual; if they didn't offer a 100% guarantee I'd say the lawyers should be toothless in society: substance over form, and propriety over vagueness, "anonymous" is only so until someone OUTS you.

It's pretty simple: Because Y-Chromosomes pass from father to son unchanged, and because last names also tend to pass from father to son unchanged, the Y-Chromosome can be linked to your last name. If you've got DNA info about someone's Y-Chromosome and their last name (in this case people gave that info to genealogy databases but it could just as easily be a police DNA database) then you can probably identify the last name of anyone else who is a match for that Y-Chromosome.

Y-Chromosome tied to your surname? Even assuming your culture has surnames in the first place, that assumption is so wrong in its generality it hurts. Patrilineal naming convention is just one of many, and for example patrinomic (where your surname is derived from your father's name, as in "Jon Olafsson, son of Olaf Magnusson") is also often in use - for example in Iceland or many Muslim countries.

The Genetic Information Nondiscrimination Act makes illegal for health insurers to discriminate based on genetic testing but life insurance, disability insurance or long-term-care insurance companies can.
http://www.kaiserhealthnews.org/Daily-Reports/2013/January/18/genetic-testing.aspx [kaiserhealthnews.org]
Those companies might find it profitable to deny insurance because you have the same name as someone in a genetic database. If they can eliminate the few people that might get some rare disease, it might be better for them in spite of the few false positives.

Thinking further, would you have a case if insurers amalgamated data and determined that Browns where x% more or less likely to have some condition? in other words, you can't discriminate on the basis of genetic testing, but could you technically work out a system to bias rates based on surname, and if so, what would be it's legal position?

That used to happen with mortgage companies. (There's a term for it, but I can't recall)

They couldn't discriminate based on ethnicity, but would exclude the parts of the city where certain people lived.

Of course, if we take this to it's illogical extreme, the insurance companies would go out of business if we could test exactly what diseases you'll get and when you will die. Insurance only works when there is uncertainty.

There are probably enough Browns and Smiths that it probably doesn't matter. However, if your last name is rarer, and 66% of the people with the name have something like Huntington's, you might be denied long term coverage.

As a fairly well-known geneticist, a study like this either, through direct dissemination or twisted discussion, is exactly what continues to worry people about giving DNA samples. I am also a lawyer and concerned about this in terms of any privacy rules which may have been violated. I am not against experiments of this type, so long as every subject knows exactly what they are getting self into. General consent forms for studies are expected to be written, in most cases, at a 5-year-old reading level - I

All I can say is that given the advances possible, the slight loss of privacy is worth it.. So if you do have the chance to volunteer for something like this do it. It's likely more dangerous to have a Facebook account where you talk about or your friends talk about your ailments.

George Church's "Personal Genome Project" has, from it's very beginning, acknowledged the possibility of this kind of exposure. In fact, you can't participate in the project without signing a consent form that makes this explicit. From their website: